1

I have an asp.net MVC 4 web application with a URL such as "www.domain1.com", and a new asp.net web form application that is used for ssrs reports. The asp.net web form application uses another URL as "www.domain2.com". For users to view reports, a new link named "Reports" will be created from the asp.net MVC web application site to the new asp.net web form application site.

The 2 web applications sit on the same server. A user who works with those 2 web applications sits on a same PC.

Question 1: I want: if some user successfully logs in the MVC application site, he should be automatically logged in the Reports asp.net web form site after he presses that Reports link. How can I achieve this?

Question 2: How to keep the ".ASPXAUTH" cookie (that is used to check user authentication) from loss in the second site (web form application with domain of "www.domain2.com") once users are automatically logged in there in following scenarios:

  • Page-to-page navigation.
  • F5 to refresh/reload some web form page.
  • Back and Forward button hitting within a browser (IE, FF, Chrome or whatever).

P.S. I already read the following thread, but the answer is not clear for asp.net or does not give clear details how to do so:

Automatically login to current website if user is logged in to another website

Thomas.Benz
  • One more question: in web-form application (with URL "www.domain2.com"), how can I read the shared ".ASPXAUTH" cookie in some code behind file (.cs file)? Does that cookie exist on all web forms? – Thomas.Benz May 31 '13 at 17:23

2 Answers

2

The phrase you need to research is Single Sign On. This is not simple if you need to be robust and serve lots of public users and your domains have different names. In a closed environment it gets easier as you don't have to take account of all the variables, you know which browsers you support etc.

You can use a WSFederation, an OAuth provider, such as Google or Live, or you can implement a shared authentication service that your sites both access. But, there are restrictions: your specific requirement of using two separate domains will make it very difficult for you. You could also look at Claims based identity which may change your approach and make this easier for you.

Simpler single sign-on (shared domain or sub domain)

I will look at simpler cases here as well, although if your question is taken literally you may not be able to do this. However you can see what your options are, and maybe you can change your domain names (or at least use subdomains). For sites:

  • on the same domain in different subfolders (www.domain1.com/site1 and www.domain1.com/site2) this is easy, and this approach will work perfectly.
  • in subdomains of the same domain (site1.domain1.com and site2.domain1.com) it is a little harder, but you can still make it work.

The basic approach is:

  • Set the machine key for authentication to be the same in both web.config files

  • If using different subdomains: Modify your FormsAuthentication cookie to be used for both site1.domain1.com and site2.domain1.com once you log someone in

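     // after successful login in your login action (and in any other place, such as Register):
     // createPersistentCookie is your bool: true keeps the cookie across browser sessions
     HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, createPersistentCookie);
     // set the cookie on the parent domain so both subdomain sites receive it
     authCookie.Domain = "example.com";
     Response.AppendCookie(authCookie);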
    
  • Use a shared authentication database if you let a user login at either site instead of just the main one

Note, though, that the shared cookie for authentication is becoming increasingly hard due to browser restrictions, and this is written about in Global Network Auto-Login by Jeff Atwood himself. A full consideration of the possible approaches is written about on meta in "How does SO's new auto-login feature work?". Again, therefore, if you have only to support a closed environment (such as your office, or a small set of customers with a known set of browsers) your life will be easier.

Shared authentication tokens and query strings

This is also possible if you are feeling brave, and if you have a shared database or service you can set up.

When a user logs in successfully on site1.com, you can set up a one-time token for that login in the database and put the details of that token into the cookie. When they get passed to site 2 you could pass that one-time token in your query string, and then within site 2 you can check to see if the token they have passed is valid. If it is then you can log them in and set their login cookie. You need to be careful with this; there are security considerations for passing what is essentially an identity within a query string.

Footnote

There is a great online MS book on claims based authentication called "A Guide To Claims-Based Identity And Access Control" (beware: pdf link), I have added it as a footnote in case of link rot.

Andy Brown
  • Added the missing refs to claims based identity and SSO in paragraph 2 – Andy Brown May 30 '13 at 16:58
  • Thanks for your reply. Can you please give me more details for how to set user login cookie in the web form application? – Thomas.Benz Jun 01 '13 at 12:33
  • @Thomas.Benz. Could you ask a new question specific to that? I think [SO would prefer that](http://meta.stackexchange.com/questions/39223/one-post-with-multiple-questions-or-multiple-posts). As soon as you have done, put a link to it here for future readers. – Andy Brown Jun 01 '13 at 12:38
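
The one-time token handoff described under "Shared authentication tokens and query strings", as an added example that is not code from the answer above. `OneTimeLoginTokens`, its in-memory store (standing in for the shared database both sites can reach) and the 30-second lifetime are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; the in-memory dictionary stands in for the shared database.
public sealed class OneTimeLoginTokens
{
    private sealed class Entry { public string User; public DateTime ExpiresUtc; }
    // Keyed by SHA-256 of the token, so a leaked store holds no usable tokens.
    private readonly ConcurrentDictionary<string, Entry> _store =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;
    public OneTimeLoginTokens(TimeSpan lifetime) { _lifetime = lifetime; }
    private static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
    // Site 1: call for an already authenticated user who follows the Reports link.
    public string Issue(string userName, DateTime nowUtc)
    {
        var raw = new byte[32];                      // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Hex(raw);                     // hex needs no URL encoding
        _store[Hash(token)] = new Entry { User = userName, ExpiresUtc = nowUtc + _lifetime };
        return token;
    }
    // Site 2: returns the user name once; null if unknown, replayed or expired.
    public string Redeem(string token, DateTime nowUtc)
    {
        Entry e;                                     // TryRemove makes the token single-use
        if (string.IsNullOrEmpty(token) || !_store.TryRemove(Hash(token), out e)) return null;
        return nowUtc <= e.ExpiresUtc ? e.User : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var tokens = new OneTimeLoginTokens(TimeSpan.FromSeconds(30));
        DateTime t0 = DateTime.UtcNow;
        string token = tokens.Issue("alice", t0);    // "alice" is a constructed sample user
        Console.WriteLine(tokens.Redeem(token, t0.AddSeconds(5)) ?? "(rejected)");  // first use
        Console.WriteLine(tokens.Redeem(token, t0.AddSeconds(6)) ?? "(rejected)");  // replay
    }
}
```

On the second site, a successful `Redeem` would be followed by `FormsAuthentication.SetAuthCookie` and a redirect to a URL without the token, so the token does not stay in browser history or Referer headers. Both hops should run over HTTPS, since the query string carries what is briefly an identity.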
1

This is not a trivial situation and calls for use of WS-Federation or OAuth. Basically you need a third web site that you log-in to. And your two web pages would have to redirect unauthenticated requests to that page.

This will not make you authenticated on both pages at the same time but will make it look like you are. You will have 3 different cookies/sessions but it will require only a single act of passing your credentials to that third web site.

Microsoft provides you an implementation of WS-Federation in its Windows Identity Foundation.

Here are recordings from WIF Workshop that I suggest you check out.

And here you can find hints on mixing ASP.NET MVC with WIF.

As for OAuth with ASP.NET MVC here is some article that looks promising.

Grzegorz W